Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

permission: fix spawnSync permission check #46975

Closed

Conversation

RafaelGSS
Copy link
Member

@RafaelGSS RafaelGSS commented Mar 6, 2023

It was missing in the original PR #44004.

Fixes: https://github.com/nodejs-private/node-private/issues/394

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. child_process Issues and PRs related to the child_process subsystem. needs-ci PRs that need a full CI run. labels Mar 6, 2023
@RafaelGSS RafaelGSS added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 6, 2023
Copy link
Contributor

@cjihrig cjihrig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 6, 2023
@nodejs-github-bot
Copy link
Collaborator

@RafaelGSS RafaelGSS force-pushed the fix/add-permission-spawn-check branch from 41d0d74 to 693b833 Compare March 6, 2023 19:42
@RafaelGSS RafaelGSS added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 6, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 6, 2023
Fixes: nodejs-private/node-private#394

Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
@RafaelGSS RafaelGSS force-pushed the fix/add-permission-spawn-check branch from 693b833 to 67f3bce Compare March 6, 2023 22:07
@RafaelGSS
Copy link
Member Author

RafaelGSS commented Mar 6, 2023

@RafaelGSS RafaelGSS added the fast-track PRs that do not need to wait for 48 hours to land. label Mar 7, 2023
@github-actions
Copy link
Contributor

github-actions bot commented Mar 7, 2023

Fast-track has been requested by @RafaelGSS. Please 👍 to approve.

@RafaelGSS
Copy link
Member Author

Requesting fast-track because I'll work on the v19.8.0 proposal tomorrow and we need to have this patch.

@RafaelGSS RafaelGSS added the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 7, 2023
@nodejs-github-bot nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Mar 7, 2023
@nodejs-github-bot
Copy link
Collaborator

Commit Queue failed
- Loading data for nodejs/node/pull/46975
✔  Done loading data for nodejs/node/pull/46975
----------------------------------- PR info ------------------------------------
Title      permission: fix spawnSync permission check (#46975)
Author     Rafael Gonzaga  (@RafaelGSS)
Branch     RafaelGSS:fix/add-permission-spawn-check -> nodejs:main
Labels     child_process, c++, fast-track, needs-ci
Commits    1
 - permission: fix spawnSync permission check
Committers 1
 - RafaelGSS 
PR-URL: https://github.com/nodejs/node/pull/46975
Fixes: https://github.com/nodejs-private/node-private/issues/394
Reviewed-By: Colin Ihrig 
Reviewed-By: Anna Henningsen 
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/46975
Fixes: https://github.com/nodejs-private/node-private/issues/394
Reviewed-By: Colin Ihrig 
Reviewed-By: Anna Henningsen 
--------------------------------------------------------------------------------
   ⚠  Commits were pushed since the last review:
   ⚠  - permission: fix spawnSync permission check
   ℹ  This PR was created on Mon, 06 Mar 2023 16:46:11 GMT
   ✔  Approvals: 2
   ✔  - Colin Ihrig (@cjihrig) (TSC): https://github.com/nodejs/node/pull/46975#pullrequestreview-1326742875
   ✔  - Anna Henningsen (@addaleax): https://github.com/nodejs/node/pull/46975#pullrequestreview-1327221779
   ℹ  This PR is being fast-tracked
   ✔  Last GitHub CI successful
   ℹ  Last Full PR CI on 2023-03-06T22:59:26Z: https://ci.nodejs.org/job/node-test-pull-request/50242/
- Querying data for job/node-test-pull-request/50242/
   ✔  Last Jenkins CI successful
--------------------------------------------------------------------------------
   ✔  Aborted `git node land` session in /home/runner/work/node/node/.ncu
https://github.com/nodejs/node/actions/runs/4356000066

@RafaelGSS
Copy link
Member Author

Landed in b164038

RafaelGSS added a commit that referenced this pull request Mar 7, 2023
Fixes: nodejs-private/node-private#394

Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: #46975
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <rlau@redhat.com>
@RafaelGSS RafaelGSS closed this Mar 7, 2023
@tniessen
Copy link
Member

tniessen commented Mar 7, 2023

Requesting fast-track because I'll work on the v19.8.0 proposal tomorrow and we need to have this patch.

Maybe we should consider letting it bake on main for a while longer, given that this kind of bug would otherwise trigger the security release workflow?

@RafaelGSS
Copy link
Member Author

Maybe we should consider letting it bake on main for a while longer, given that this kind of bug would otherwise trigger the security release workflow?

I don't see much value in it, at least for this particular feature. It's useful when it's a significant change or notable change being released in an LTS release. @cjihrig found the bug as a Node.js maintainer, I don't see other Node.js contributors finding it as they are unlikely to use it. Errors like this will be encountered (if any) by users and as you stated, would be fixed in a security release -- but, I don't see the baking time avoiding it though.

However, if you feel strongly about the baking time of this feature, I can postpone it to v19.9.0. Just let me know.

@tniessen
Copy link
Member

tniessen commented Mar 7, 2023

That's a good point. I don't feel strongly about it. I am only bringing this up because I think it is very likely that this feature will lead to vulnerability reports shortly after being released, simply because it significantly increases the attack surface and has only been reviewed by very few people so far. Letting it bake might lead to more issues like this being found that can be fixed publicly, but it might just as well be unlikely.

@RafaelGSS
Copy link
Member Author

Well, skipping it for v19.8.0 won't hurt. Let's release the permission model in v19.9.0 then. I will include the blocked label.

@RafaelGSS RafaelGSS added the blocked PRs that are blocked by other issues or PRs. label Mar 7, 2023
targos pushed a commit that referenced this pull request Mar 13, 2023
Fixes: nodejs-private/node-private#394

Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: #46975
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <rlau@redhat.com>
@targos targos added backport-blocked-v19.x and removed blocked PRs that are blocked by other issues or PRs. labels Mar 14, 2023
@RafaelGSS RafaelGSS added dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. backport-blocked-v16.x backport-blocked-v18.x PRs that should land on the v18.x-staging branch but are blocked by another PR's pending backport. dont-land-on-v18.x PRs that should not land on the v18.x-staging branch and should not be released in v18.x. and removed dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. backport-blocked-v16.x backport-blocked-v18.x PRs that should land on the v18.x-staging branch but are blocked by another PR's pending backport. labels Apr 3, 2023
@tniessen tniessen added the permission Issues and PRs related to the Permission Model label Aug 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. child_process Issues and PRs related to the child_process subsystem. commit-queue-failed An error occurred while landing this pull request using GitHub Actions. dont-land-on-v18.x PRs that should not land on the v18.x-staging branch and should not be released in v18.x. fast-track PRs that do not need to wait for 48 hours to land. needs-ci PRs that need a full CI run. permission Issues and PRs related to the Permission Model
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants